Login

Smart Cards: An Introduction

In this article I’m going to present you with a quick overview of the Smart Cards and then move on to exploring the ways they can be integrated to existing services in order to provide value added services or a new range of secure application.

“It’s a small world.” It’s no more just a saying — it is a reality today.
The ways people communicate and transact business have changed drastically from
what it used to be. The advancements in the digital communication and the
embedded industry have a great impact on this. The way business is done has also
evolved from the pay-n-take transaction model to the online transaction model
where one can complete a sale or any similar transaction just a few mouse
clicks.

In such a world enterprises can provide value-added services and enhance
their customer base as most banking and retail chains have done by giving out
free services such as online banking, the option to buy and sell stocks online,
etc. This applies to large corporations and small businesses like a coffee shop
that provides its customers Wi-Fi access to the Internet while they enjoy their
coffee. The success of such transactions and the business using them relies on
the level of security and service competence offered by the vendor.

Smart Cards have been here for quite sometime now. Although the development
initiated 35 years ago in 1968, it was ten years later that they were made
available to mass use. Apart from the security features and ease of use, Smart
Cards also provide the user with a safe and effective way to conduct e-business
and enjoy the luxury of the value-added services provided by vendors. This has
enabled Smart Cards to make their way into millions of lives.

{mospagebreak title=Use and Types of Smart Cards}

Is a “smart card” the same plastic card that I use at the ATM? No, probably
not. The ATM cards are just plastic cards with a magnetic stripe bearing some
information. A Smart Card is really smart. You might ask why?

The old ATM cards and other proprietary magnetic stripe cards do not provide
security and do not have any embedded hardware in them. They’re more like an
audio tape which can be tampered with! Smart cards are really a Smart Solution
to provide security bundled with ease of use. Most Smart cards, if not all,
incorporate an integrated circuit chip (ICC) on the plastic card. This ICC is
usually a micro-controller with limited computational power and I/O support. ISO
uses the term, Integrated Circuit Card (ICC) to identify all those devices where
an integrated circuit is contained within an ISO ID1 identification card piece
of plastic. The card is 85.6mm x 53.98mm x 0.76mm and is the same as any other
standard magnetic stripe card.

Types of Smart Cards

These Integrated Circuit Cards come in two forms when we categorize them
based on the way we use tem, contact and contact-less. The former is easily
identified due to its characteristic gold connector plate.

Figure 1

Originally the ISO Standard (7816-2) defined eight contacts, but only 6 are
actually used to communicate with the outside world and rest two are marked as
RFU (Reserved for future use). The contact-less cards optionally may contain its
own power source, however mostly the operating power is provided to the
contact-less card by means of an inductive loop that uses low frequency
electronic magnetic radiation. The signals needed for communication with the
reader devices may be transmitted in a similar way or can use capacitive
coupling or even an optical connection (IR).

The Contact card is the most widely used ICC to date largely because of its
use as telephone prepayment card. Yes! The SIM card that we you use in our cell
phones is just a Smart card without the plastic base. Most contact cards contain
only a simple integrated circuit although some also use two chips; the other one
is used to perform complex cryptographic computations (which I’ll explain
shortly). The chip itself varies considerably between vendors and each takes it
own way of programming application for it, but the Java Card™ initiative by Sun
has made it a breeze to write Smart Card applications that can be downloaded
onto the memory of these cards and can execute on any type of chip which
supports the Java Card runtime environment. I’ll come to programming the Smart
cards in next article of this series.

Figure 2

Let us now consider the use of the 6 contacts used by the ICC:

Vcc is the supply voltage that drives the chips and is
generally 3 to 5 volts with 10% deviation allowed. It used to be in 5-volt range
prior to the recent move towards low power devices to make these cards.

Vss/GND pin is used to provide the substrate or ground
reference voltage against which the Vcc potential is measured. It is usually 0
volts.

Reset is the signal line that is used to send the signal to
the integrated circuit in order to reset it. This is a complex process that we
shall describe later in more detail. There are two ways a card is reset:

Warm Reset: When a Signal is sent through this pin to reset the ICC.

Cold Reset: When the supply voltage is turned off and on again. Ejecting the
card out and inserting again will have the same effect.

Clock pin is used to drive the logic of the embedded IC and
is also used as the reference for the serial communications synchronization.
This pin is provided because the ICC doesn’t have any clock generator onboard
and needs this as external input. The card reader device provides this clock.
The clock frequency is 5MHz generally but many high end ICCs use frequency
multipliers to operate at higher frequencies up to 40 MHz.

Vpp pin is now optional and used only in old cards.
Previously it was used for the high voltage signal that is necessary to program
the EPROM memory. It was provided with two voltage levels. The lower one (or the
idle state) is held down by the Card Reader device, until the higher level (or
the active state) is required.

I/O pin is the serial input/output (SIO) connector. This is
the signal line by which the underlying circuit receives commands and
interchanges data with the outside world. This process will be explained in more
detail when we talk about programming applications that receive these commands.

{mospagebreak title=The ICC and Harvard Architecture}

The ICC itself

The ICC cards usually employ a low power micro-controller like Intel® 8051 or
AVRs from ATMEL® as the core CPU with the clock frequency up to 5 MHz or so.
These micro-controllers are available in 8, 16 or 32 bit flavors. Basically the
decision is governed by the requirements of the applications the card needs to
support.

The architecture of these CPUs varies as I mentioned above. The Intel uses
the Von Neumann architecture where as the AVRs from ATMEL use the Harvard
architecture.

Also some ICCs also use two CPUs just to enhance their capabilities. For
providing advanced security features such as using RSA for cryptography much
more processing power is required so this is provided the help of these special
purpose co-processors. The ICCs with these chips are expensive as compared to
single chip ICCs.

{mospagebreak title=Memory in Smart Cards}

So the chip contains CPU but it’ll need to have some memory if at all it
wants to process something and do some computations. Well, the primary use of
the IC card had been for the portable storage and retrieval of data but now they
provide very advanced security features like storing private keys and
certificates for authenticating users to some external system, for example a
secure website. Hence another fundamental component of the IC is a memory
module. The following list represents the most commonly used memory types:

ROM Read only memory (mask ROM)

EEPROM Electrically erasable PROM

RAM Random access memory

A particular chip may have any combination of these memory types. Each of
these memory types possesses particular characteristics that determine their
usability in a particular ICC.

The ROM: These types of memories, some times also referred
to as persistent non-mutable, are fixed and can’t be changed once manufactured
by the semiconductor company. This is a low cost memory, because it occupies
minimum space on the silicon substrate and the manufacturing is also less
complex.

The EEPROM: This memory is electrically erasable and
programmable by the user and can be rewritten many times (about a million
times).

All of these memories described above are non-volatile. That is they retain
their contents when the power is removed.

The random access memory (RAM): This is the most common one
because every single desktop on the planet uses them. This memory is volatile
memory and the data content is lost as soon as the power is removed.

The requirement of the memory and its type varies in accordion with the
requirement and the place where the smart card is to be employed for example one
card utilize a little EEPROM memory (128 – 512 bytes) and a simple memory
control logic for a telephone card and in case of ATM transaction or for
provision of higher security the smart card may employ CPU, additional
coprocessor and RAM, ROM or EEPROM, FLASH ROM with a greater storage capability.
Additional co processor is required for encryption process or for carrying out
additional calculations. The smart term is associated with these cards because
of their capability to perform the calculation with the help of CPU embedded in
the chip inside the card during the manufacturing process.

The control logic provides protection system in the card so that it can be
used by a fake person in addition with the task of carrying out communication
protocols. The ICC has security intrinsically built in and it does provide a
tamper resistant domain that is tricky to match with the somewhat larger
security boxes that handle cryptographic processes. Different types of ICC can
be differentiated on the basis of their content such as given below:

Memory only ICC

Memory with security logic

Memory with CPU

Smart card employs some form of access code for accessing memory through the
security logic. The access code size, which is used for the authorized access of
the memory may be quite large i.e. 64 bits or more. The use of EEPROM memory is
not considered safe for the cards, which are to be used for making the financial
transactions as fraudsters can obtain a financial advantage by unauthorized use.
The smart card that employs CPU or additional processor for the cryptographic
purpose have the associated benefit in regard of security features and can be
safely used for the use of transaction or other security concerns safely.

The term application that is widely associated with the Smart Card, implies
the software or programs that the IC implements. The program may be in the form
of a file manager for organizing the storage and retrieval of data or for
carrying out complex calculations. These applications are fully implemented in
the logic of the chip. Smart cards employs the communications logic for carrying
out the communication with the host, through this logic, chip accepts commands
from the card acceptance device (CAD) and receives and transmits the application
data. Since the CPU is capable of carrying out complex calculations, the ICC
which contains a CPU can handle more sophisticated applications and even multi
applications.

{mospagebreak title=Communicating with the Outside World}

The smart card communicates with outside world with the help of a reader and
terminal. The reader is a card accepting device, which consist of a slot into
which card may be placed. The reader provides power and establishes a path
through which it can communicate with the terminal or host computer. Different
kinds of readers are available in the market they may or may not have the
intelligence to process data, error detection and correction capabilities if
there is some problem or the transmitted data do not compliant with the
underlying transport protocol.

Terminals are generally referred to the computers and reader is also one of
its components. Some of the commonly seen terminals are that are employed in the
stores for the payment and other that are utilized for the transactions at ATM.
The terminals may or may not have a reader in built into it as in ATM. The
terminals have an added functionality of carrying out complex information
processing and the storage capabilities.

The Communication Model

Smart card employs Application Protocol Data Unit (APDUs) for carrying out
the communication with the terminals as the computer uses TCP/IP protocol for
communicating between two or more than two interconnected computers. The
communication is half-duplex, which means the information is sent from the card
or terminal one at a time.

An APDU contains either a command or a response message, the smart card waits
for a command APDU from the host and then executes and responds to the host
computer command message, and this exchange process of information takes place
alternatively. The smart card in this communication model acts as passive slave
(smart card employs master slave model for communication).

{mospagebreak title=APDU}

The APDU is an application level protocol as specified in the ISO 7816-4,
which takes place between a smart card and a host application for the
communication purpose.

APDU consist of two structures, as defined below:

Command APDU (C-APDU: this command is used by the host application to send
command to the card.

Header: it consist of 4 bytes:-

Class of instruction (CLA)

Instruction code (INS)

Parameters: P1 and 2

Optional body: varies in length.

Lc = specifies the length of the optional body or the data field (Bytes).

Le = specifies the length of the data or the number of bytes that the host
is expecting in response to the command sent.

Data field contains the data that are sent to the card for executing the
instruction specified in the header.

Response APDU (R-APDU): this command is used by the card in order to respond
to the command send by the host application.

Optional body: it consist of data field whose length is specified by the Le

Trailer: it consist of two words SW1 and SW2 called as status word, which
denotes the processing state in the card after the execution of the command
APDU.

Structure of the APDU is given below:

1. Command APDU

Mandatory Header

Optional body

CLA

INS

P1

P2

Lc

Data Field

Le

2. Response APDU

Optional body

Mandatory Trailer

Data Field

SW1

SW1

Note:

A command is always paired with response APDU

The data field is optional in both command APDU and response APDU.

The second case further divides the command and response APDU in four
categories.

There is no transfer of data to or from the card

C- APDU: contains header only.

R- APDU: contains only the trailer status word.

There is no transfer of data to the card but data are returned from the card

C- APDU: contains Le only, which specifies the number of data bytes in the
corresponding response APDU.

There is transfer of data to the card but no data is returned from the card

C- APDU: contains Lc and data field, Lc which specifies the length of the
data field.

R-APDU: contains the trailer status word SW1 and SW2.

There is transfer of data to the card and data is returned from the card

C- APDU: contains Lc and data field and Le.

R-APDU: contains both the optional body and the trailer status word SW1 and
SW2.

{mospagebreak title=TPDU and ATR}

Transmission Protocol Data Units (TPDUs): these protocols
are used for the transmission of APDUs and the data structure that is exchanged
by the host and a card suing the transport protocol are called as TPDUs.

Mainly two types of protocols are in common use for this purpose:

T = 0: the smallest unit processed and transmitted by the protocol is single
byte, in other words it is byte oriented.

T = 1: this consists of sequence of bytes, in other words it is block
oriented.

ATR

ATR is used for conveying parameters that are required by the card to
establish a data communication pathway. This message is conveyed as soon as the
power in the smart card is set to on and stands for answer to reset (ATR).

It is usually up to 33 bytes, contains the transmission parameters such as T
= 0 and T = 1, which are supported by the card. It also carries all the
necessary information that is required to be known by the host such as:

Data transmission rate

Card hardware parameters

Chip serial number

Mask version number

{mospagebreak title=Operating System and File System}

A New Breed of Operating Systems

The commonly used smart card operating system supports a file system as
specified in ISO 7816-4. Although the may pose a little resemblance to the
commonly employed operating systems such as windows, UNIX etc.

APDUs, which are specified under ISO 7816-4 are generally file system
oriented commands. It contains a user application that mainly compromise of data
file that are used for storing application specific information. Operating
system is used implement semantics and instruction for accessing the data file.

Since, the old system does not have a well defined separation between the
operating system and the application. So, newer operating system, which support
a better system layer and downloading of custom application code are now in
wider use.

A File System Too

File system used for the smart card have a hierarchical file system and
supports three types of file:

Master file (MF): this single file is the root of the file system and
contains dedicated file and elementary files.

Dedicated file (DF): it is the directory of the smart card and holds all
files like dedicated and elementary files.

Elementary file (EF): it is a file which contains other files. It can be
further categorized into:

An operation on any file is done after opening it; some of the cards in use
open the master file as soon as the powered is on. Access condition allows the
access to file system, and it can be easily specified distinctive for distinct
read and write operation.

{mospagebreak title=Standards Governing Smart Cards}

In the last two decades a number of Smartcard standards and specifications
have been defined to cohesion between cards, IFDs and card applications by
different vendors. The most significant ones are:

ISO 7816 standards: ISO 7816 “Identification
cards—Integrated circuit cards with contacts,” published by the International
Organization for Standardization (ISO), is the most important standard defining
the characteristics of chip cards that have electrical contacts. ISO 7816 covers
various aspects of smart cards:

Part 1—physical characteristics

Part 2—dimensions and location of the contacts

Part 3—electronic signals and transmission protocols

Part 4—inter-industry commands for interchange

Part 5—application identifiers

Part 6—inter-industry data elements

Part 7—inter-industry commands for SCQL

GSM: The European Telecommunications Standards Institute
(ETSI) has published a set of standards that cover smart cards for use in public
and cellular telephone systems. The Global System for Mobile Communications
(GSM) defined by ETSI is a specification for an international terrestrial mobile
telephone system. Originally intended to cover a few countries in central
Europe, it is increasingly developing into an international standard for mobile
telephones. There are several GSM standards, in particular:

GSM 11.11

Specification of the SIM-mobile equipment interface.

GSM 11.14

Specification of the SIM application toolkit for the SIM-mobile equipment
interface.

GSM 03.48

security mechanisms for the SIM application toolkit

GSM 03.19

SIM API (Application Programming Interface) for the Java Card platform. This
standard, based on GSM 11.11 and GSM 11.14, defines Java API for developing GSM
applications that run on the Java Card platform. The API is an extension to the
Java Card 2.1 API.

EMV: The EMV specification, defined by Euro pay, MasterCard,
and Visa, is based on the ISO 7816 series of standards with additional
proprietary features to meet the specific needs of the financial industry. The
latest version of the specifications, EMV 96 version 3.1.1, was published in May
1998 and comes in three parts:

EMV ’96 Integrated Circuit Card Specification

EMV ’96 Integrated Circuit Card Terminal Specification

EMV ’96 Integrated Circuit Card Application Specification

OCF: The OpenCard Framework (OCF) was initially produced by
IBM and is currently owned and developed by the OpenCard consortium, which
includes major players in the smart card industry. OCF is the host-side
application framework providing a standard interface for interacting with card
readers and applications in the card. The architecture of OCF is a structured
model that divides functions among card terminal vendors, card operating system
providers, and card issuers. The goal is to reduce dependence on each of these
parties as well as dependence on the platform providers.

OCF is designed with the use of a smart card in a network computer in mind,
and thus is implemented in the Java programming language.

PC/SC: PC/SC specifications (Interoperability Specification
for ICCs and Personal Computer Systems) are owned and defined by the PC/SC
Workgroup, an industry consortium with major players in the smart card industry.
PC/SC defines a general-purpose architecture for using smart cards on personal
computer systems.

In the PC/SC architecture, host-side smart card applications are built on top
of one or more service providers and a resource manager. A service provider
encapsulates functionality exposed by a specific smart card and makes it
accessible through high-level programming interfaces. A resource manager manages
the smart card-relevant resources within the system for accessing to card
acceptance devices and, through them, individual smart cards.

PC/SC and OCF have many similar concepts. When running on a Windows platform,
OCF can access card acceptance devices through the installed PC/SC resource
manager.

Summary

In this article we have seen a brief overview of the technology of Smart
cards. We have looked at the basic components and constructs that make up the
Smart Card and have explored the elements of the chip which are at the centre of
this technology.

The introduction of Smart cards has been so slow because of the lack of
standards but now we have them in place and true interoperability between cards,
vendors and applications is becoming a truth. We have also enumerated the
various Smart card related standards.